Technical Analysis and Overview of Wannacry Ransomware

A recent ransomware outbreak occurred termed as “WannaCry”, a different kind of ransomware as compared to the usual traditional ransomwares. This ransomware possesses worm like features, uses Eternalblue exploit which exploits the Microsoft Windows SMB Server vulnerability (MS 17-010). It scans for the vulnerable computers over the network and then performs the attack rather than the usual ransomware scenario which uses phishing mails, drive-by-download URLs for performing the infection. The important part to note is that the ransomware encrypts the initially infected system and spreads to the network exploiting the SMB vulnerability.

Malware propagation and execution flow

Malware Propagation and Execution Flow

Figure 1

Components of the Malware

WannaCry Ransomware comes in a package of 4 different components

Carrier/dropper worm which can reach the victim machine either through regular method of phishing, infected hyperlinks or other infected systems. This consists of the kill switch, and second stage dropper and the spreading mechanism to exploit the SMB vulnerability. More details are given below

Ransomware dropper which runs as a service either by the worm or by itself, and containing a password protected archive named as XIA in the resource section.

Resource of dropper

Figure 2

Decryptor which is dropped from the mentioned resource showing end-user message and demands payment.

Ransomware (t.wnry) is the encrypted blob as part of the archive, decrypted by the dropper and executes the payload

Ransomware componentFigure 3

File Analysis

It was observed that the sample first checks for the kill switch domains “hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” and “ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com” if found active the sample doesn’t execute it’s malicious behaviour.

The malware also checks for the mutex (MsWinZonesCacheCounterMutex) and if found it may not perform the infection on the same machine the second time. This also avoids multiple infections and in turn multiple generations of private key.

Wannacry Mutex

Figure 4

The malware consists of the Bitcoin addresses shown below and displays any one of those Bitcoins address randomly for the specific machines at the time of infection

Bitcoin Wallets

Figure 5

The file then extracts its contents using the password “WNcry2ol7”, and then it drops all files with hidden attributes and grants access to all the files with “icacls_grant_everyone” command as shown below:

Archive extraction and payload

Figure 6

The content of the archive details as below

Archive contents

b.wnry

Ransomware background

c.wnry

Payment hyperlinks

r.wrny

Ransomware notes

u.wnry

Wannadecrytor binary

As shown below from our lab, the process tree for the execution of the sample till full encryption and user warning message shown

Execution process tree

Economic Impact

Though WannaCry has had more outreach than any other ransomware in terms of infection and global penetration, still it is noteworthy to mention the actual profit generated by the ransomware is pretty “low” compared to its much less known predecessors like Sage. As of 23 May 2017 following Bitcoin transactions have been traced to the wallets used by the ransomware

Revenue generation

As of today, the revenue generated is $106343.63 through the wallets used by the ransomware. Which raises a question whether this piece of malware really had the sole intention of earning quick revenue or, more importantly, is this the tip of iceberg with much more virulent variants to come. As of now the relative immaturity in the code combined with a simple kill switch and almost no obfuscation points to a quickly put together malware to cash in on the EternalBlue exploit.